SMIMEA / OPENPGPKEY Lookup
Look up online SMIMEA and OPENPGPKEY DNS records with owner derivation, resolver comparison, payload parsing, DNSSEC evidence, and exportable audit rows.
Introduction
SMIMEA and OPENPGPKEY records publish mail identity material in DNS. SMIMEA associates an S/MIME certificate with an email identity. OPENPGPKEY associates an OpenPGP transferable public key with an email identity.
Both record families avoid putting the raw mailbox local part directly in the owner name. The local part is canonicalized and hashed with SHA-256, and the leftmost 28 octets of the digest are hex-encoded into a 56-character label that sits under a fixed family label: _smimecert for SMIMEA and _openpgpkey for OPENPGPKEY.
Because trust depends on DNSSEC, the returned record is only part of the answer. Resolver AD status, TTL, negative caching, alias chains, and resolver agreement all matter when deciding whether the publication is ready to rely on.
Technical Details
For a derived lookup, the tool parses a single mailbox, converts the domain to DNS ASCII (A-label) form, canonicalizes the local part according to the selected family, hashes it with SHA-256, and hex-encodes the leftmost 28 octets of the digest to form the 56-character DNS label. Manual-owner mode skips mailbox derivation and queries the owner name supplied by the user.
| Item | Value |
|---|---|
| SMIMEA owner | hash-label._smimecert.example.com |
| OPENPGPKEY owner | hash-label._openpgpkey.example.com |
| Hash label | leftmost 56 hex characters of SHA-256(local part), i.e. the leftmost 28 octets of the digest |
| Resolver modes | Cloudflare, Google Public DNS, or automatic primary selection |
| Trust signal | DNSSEC AD flag plus answer content and resolver agreement |
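Owner-name derivation for both families, as an added Python example rather than the tool's own code. It implements the hash-and-truncate step described above for derived mode, and a shape check for an owner pasted in manual-owner mode. Assumptions of this example: the local part is a plain dot-atom hashed as typed (no quoting, comment stripping or case folding, which the tool's family-specific canonicalization may apply), and the domain is converted to A-labels with Python's built-in IDNA codec. RFC 7929's own worked example uses hugh@example.com, so the derived label can be compared against that document.

```python
import hashlib
import re

FAMILY_LABEL = {"SMIMEA": "_smimecert", "OPENPGPKEY": "_openpgpkey"}
LABEL_OCTETS = 28  # RFC 7929 / RFC 8162: leftmost 28 octets of SHA-256, hex encoded
LABEL_RE = re.compile(r"^[0-9a-f]{56}$")


def derive_owner(mailbox: str, family: str) -> dict:
    """Build the SMIMEA or OPENPGPKEY owner name for one mailbox.

    Assumptions of this example: the local part is a plain dot-atom and is
    hashed as UTF-8 exactly as typed (it is case-sensitive in principle);
    the domain is lowercased and converted to A-labels with the idna codec.
    """
    local, sep, domain = mailbox.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    if local.startswith('"') or "(" in local:
        raise ValueError("quoted or commented local parts are not handled here")
    # The idna codec returns ASCII labels unchanged, so lowercase explicitly.
    domain_ascii = domain.rstrip(".").encode("idna").decode("ascii").lower()
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()
    label = digest[: LABEL_OCTETS * 2]
    return {"local_part": local, "domain": domain_ascii, "sha256": digest,
            "label": label, "owner": f"{label}.{FAMILY_LABEL[family]}.{domain_ascii}"}


def parse_owner(owner: str) -> dict:
    """Check that a manually supplied owner (zone file, resolver log) has the
    hash-label.family-label.domain shape and identify the family it belongs to."""
    labels = owner.strip().rstrip(".").lower().split(".")
    if len(labels) < 3:
        return {"valid": False, "family": None, "label": None, "domain": None,
                "problems": ["owner needs a hash label, a family label and a domain"]}
    hash_label, family_label, domain = labels[0], labels[1], ".".join(labels[2:])
    family = next((f for f, l in FAMILY_LABEL.items() if l == family_label), None)
    problems = []
    if family is None:
        problems.append(f"second label {family_label!r} is neither _smimecert nor _openpgpkey")
    if not LABEL_RE.match(hash_label):
        problems.append(f"first label is not 56 hex characters (got {len(hash_label)})")
    return {"valid": not problems, "family": family, "label": hash_label,
            "domain": domain, "problems": problems}


if __name__ == "__main__":
    for fam in FAMILY_LABEL:
        print(fam, derive_owner("hugh@example.com", fam)["owner"])
    print(parse_owner("abc._smimecert.example.com"))
```

Because the label is only a truncated hash of a guessable string, it hides the mailbox from casual zone browsing but is not a secret; anyone who can guess the local part can recompute it.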
The lookup uses public DNS-over-HTTPS JSON endpoints. It parses SMIMEA usage, selector, matching type, and association data when records are returned. OPENPGPKEY payloads are decoded as DNS key blobs and summarized with size, preview, and payload SHA-256. CNAMEs, no-data answers, NXDOMAIN, transport errors, TTL, and negative cache hints (taken from the SOA record in the authority section of a negative answer) are preserved in the result tables.
Everyday Use & Decision Guide
Use derived mode for normal checks. Enter one mailbox and select SMIMEA or OPENPGPKEY. Use manual-owner mode when debugging an exact DNS name from a zone file, resolver log, or external diagnostic.
- Use Identity DNS Brief to see the main outcome, owner, resolver, AD flag, TTL, and answer count.
- Use Owner Name Build to verify the hash label and family suffix before publishing.
- Use SMIMEA Payload or OPENPGPKEY Payload to inspect returned association details.
- Use Resolver Evidence when Cloudflare and Google might disagree because of cache timing or DNSSEC validation status.
A returned key or certificate should not be treated as final proof if AD is false or resolver answers disagree. Confirm authoritative DNS and client support before using the result for sensitive mail workflows.
Step-by-Step Guide
- Select SMIMEA or OPENPGPKEY.
- Choose derived mailbox lookup or manual owner.
- Pick a resolver or enable comparison across both supported public resolvers.
- Run the lookup and review AD status, result type, TTL, and payload rows.
- Copy rows or export CSV, DOCX, or JSON for DNS publication evidence.
Interpreting Results
Record found means a target RRset was returned. For SMIMEA, still check usage, selector, matching type, and association length. For OPENPGPKEY, verify the published key against the intended fingerprint or key management record.
AD false means the recursive response did not carry authenticated DNSSEC data. That does not prove the record is wrong, but it weakens the evidence the lookup can provide.
No data and NXDOMAIN are different. No data means the owner name exists but has no record of the queried type. NXDOMAIN means the owner name does not exist at all. Both are negative answers that resolvers cache for the time given by the zone's SOA record, so the negative cache hint can explain why a fresh publication is not visible yet.
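The response handling described under Technical Details and the no-data versus NXDOMAIN distinction above, as an added Python example (not the tool's own code): it reduces one DoH JSON response to an evidence row, parses SMIMEA RDATA, summarizes an OPENPGPKEY blob, derives the negative-cache time from the SOA in the authority section, and builds an order-independent set digest so two resolvers' answers can be compared even when they present the same RDATA differently. Assumptions: the JSON follows the Cloudflare/Google shape (Status, AD, Answer, Authority, numeric type fields), and SMIMEA data may arrive either in presentation form or in RFC 3597 generic form. The sample responses, owner label and key bytes are constructed placeholders.

```python
import base64
import hashlib

# Numeric RR types as they appear in the "type" field of DoH JSON answers.
CNAME, SOA, SMIMEA, OPENPGPKEY = 5, 6, 53, 61
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
EXPECTED_LEN = {1: 32, 2: 64}  # association data length for the hashed matching types


def parse_smimea(data: str) -> dict:
    """Parse SMIMEA RDATA from presentation text ("3 1 1 <hex>") or from
    RFC 3597 generic text ("\\# <length> <hex>"), which some resolvers emit."""
    fields = data.split()
    if fields[0] == r"\#":
        raw = bytes.fromhex("".join(fields[2:]))
        if len(raw) != int(fields[1]) or len(raw) < 3:
            raise ValueError("generic RDATA length mismatch")
        usage, selector, mtype, assoc = raw[0], raw[1], raw[2], raw[3:]
    else:
        usage, selector, mtype = (int(f) for f in fields[:3])
        assoc = bytes.fromhex("".join(fields[3:]))
    checks = (("usage", usage, USAGE), ("selector", selector, SELECTOR), ("matching type", mtype, MATCHING))
    problems = [f"unknown {name} {val}" for name, val, table in checks if val not in table]
    if mtype in EXPECTED_LEN and len(assoc) != EXPECTED_LEN[mtype]:
        problems.append(f"matching type {mtype} needs {EXPECTED_LEN[mtype]} octets, got {len(assoc)}")
    return {"usage": usage, "selector": selector, "matching_type": mtype,
            "matching": MATCHING.get(mtype, "?"), "association_len": len(assoc),
            "association_hex": assoc.hex(), "problems": problems}


def summarize_openpgpkey(data: str) -> dict:
    """OPENPGPKEY RDATA is the raw transferable public key, base64 in the JSON answer.
    The SHA-256 is over that blob; it is not the OpenPGP fingerprint."""
    blob = base64.b64decode(data)
    return {"size": len(blob), "preview": blob[:8].hex(),
            "payload_sha256": hashlib.sha256(blob).hexdigest()}


def canonical_rdata(data: str, qtype: int) -> bytes:
    """Wire-form RDATA, so presentation and generic text of one record compare equal."""
    if qtype == SMIMEA:
        p = parse_smimea(data)
        return bytes([p["usage"], p["selector"], p["matching_type"]]) + bytes.fromhex(p["association_hex"])
    return base64.b64decode(data)


def set_digest(rrs: list, qtype: int) -> str:
    """Order-independent digest of an RRset, used to compare two resolvers' answers."""
    canon = b"\n".join(sorted(canonical_rdata(rr["data"], qtype) for rr in rrs))
    return hashlib.sha256(canon).hexdigest()[:16]


def negative_cache_ttl(authority: list):
    """RFC 2308 section 5: a negative answer is cached for min(SOA TTL, SOA MINIMUM)."""
    for rr in authority:
        if rr.get("type") == SOA:
            return min(int(rr["TTL"]), int(rr["data"].split()[-1]))
    return None


def classify(response: dict, qtype: int) -> dict:
    """Reduce one DoH JSON response to the evidence row described above."""
    status = response.get("Status")
    answers = response.get("Answer") or []
    authority = response.get("Authority") or []
    target = [rr for rr in answers if rr.get("type") == qtype]
    row = {"status": status, "ad": bool(response.get("AD")), "records": [],
           "alias_chain": [rr["data"].rstrip(".") for rr in answers if rr.get("type") == CNAME],
           "ttl": None, "negative_ttl": None, "digest": None}
    if status == 0 and target:
        row["outcome"] = "record found"
        row["ttl"] = min(int(rr["TTL"]) for rr in target)
        row["digest"] = set_digest(target, qtype)
        parse = parse_smimea if qtype == SMIMEA else summarize_openpgpkey
        row["records"] = [parse(rr["data"]) for rr in target]
    elif status == 0:  # NOERROR without the asked-for type: alias-only or true no-data
        row["outcome"] = "alias only" if row["alias_chain"] else "no data"
        row["negative_ttl"] = negative_cache_ttl(authority)
    elif status == 3:
        row["outcome"] = "NXDOMAIN"
        row["negative_ttl"] = negative_cache_ttl(authority)
    elif status == 2:
        row["outcome"] = "SERVFAIL (often a DNSSEC validation failure at the resolver)"
    else:
        row["outcome"] = f"rcode {status}"
    return row


# Constructed sample responses in DoH JSON shape; owner label and key bytes are placeholders.
OWNER = "a" * 56 + "._smimecert.example.com."
SOA_RR = {"name": "example.com.", "type": SOA, "TTL": 3600,
          "data": "ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 900"}
PLACEHOLDER_KEY = b"constructed placeholder, not an OpenPGP key"
SAMPLE_FOUND = {"Status": 0, "AD": True, "Answer": [
    {"name": OWNER, "type": SMIMEA, "TTL": 300, "data": "3 1 1 " + "ab" * 32}]}
SAMPLE_GENERIC = {"Status": 0, "AD": True, "Answer": [
    {"name": OWNER, "type": SMIMEA, "TTL": 300, "data": r"\# 35 030101" + "ab" * 32}]}
SAMPLE_NXDOMAIN = {"Status": 3, "AD": False, "Authority": [SOA_RR]}
SAMPLE_ALIAS = {"Status": 0, "AD": True, "Authority": [SOA_RR], "Answer": [
    {"name": OWNER, "type": CNAME, "TTL": 60, "data": "alias.example.net."}]}
SAMPLE_PGP = {"Status": 0, "AD": True, "Answer": [
    {"name": OWNER, "type": OPENPGPKEY, "TTL": 3600, "data": base64.b64encode(PLACEHOLDER_KEY).decode()}]}
```

Run `classify(SAMPLE_FOUND, SMIMEA)` and `classify(SAMPLE_GENERIC, SMIMEA)` side by side: the two answers carry the same record in different textual forms, and the set digest is identical for both, which is the property a resolver-comparison column needs. The negative-cache value for `SAMPLE_NXDOMAIN` is 900 rather than 3600 because the SOA MINIMUM is smaller than the SOA TTL.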
Worked Examples
S/MIME publication check. Enter alice@example.com, select SMIMEA, and keep derived owner mode. The owner tab shows the hash-label name that should exist under _smimecert.example.com.
OpenPGP rollover. Select OPENPGPKEY and compare resolvers. If one resolver returns the old payload and the other returns the new payload, wait for cache convergence or check authoritative DNS before announcing the change.
Manual owner debugging. Paste a full owner from a zone file when a mailbox lookup does not match expected publication. The result tells you whether the exact owner returns data, no data, an alias-only answer, or a transport problem.
FAQ
Why is my email address turned into a long hex label?
The standards hash only the local part (the text before @), so unusual mailbox characters never become raw DNS labels and the mailbox is not listed in cleartext, although the hash is no secret, since anyone can recompute it from a guessed local part. The tool shows both the full SHA-256 and the truncated label.
Does a record found result prove the key is safe to use?
No. Check DNSSEC AD status, resolver agreement, and the expected certificate or key identity before relying on the result.
Why does the payload hash differ from an OpenPGP fingerprint?
The payload SHA-256 is computed over the DNS key blob returned by the resolver. It is not the OpenPGP fingerprint itself.
Why might a new record still show as absent?
Resolvers can cache negative answers. The brief may show a negative cache time when SOA data provides one.
Glossary
- SMIMEA
- DNS record type for S/MIME certificate association.
- OPENPGPKEY
- DNS record type for OpenPGP public key material.
- AD flag
- Authenticated Data flag returned by a validating DNSSEC resolver.
- Owner name
- The DNS name queried for the record.